Samba AD PDC Password Change Errors

superchief
Posts: 1
Joined: 2015-09-24 15:25

#1 Post by superchief »

Hi Everyone,

I have set up a Samba Active Directory PDC to essentially eliminate the cost of using a Windows PDC. There are other reasons but I won't go into those now.

So everything works fine apart from a couple of things that are bugs in Samba until 4.2, which isn't stable yet on Debian (so I read).
The one thing that doesn't work is users trying to change their passwords. I can change them from either the PDC or through Windows users and groups. If a user tries to change it they will get the message:

"Mutual Authentication Failed. The server's password is out of date at the domain controller".

I have a funny feeling that this is a red herring but something is amiss. The packages I have installed and configured are:

samba
smbclient
smbldap-tools
ntp
krb5-user
krb5-admin-server
winbind

I provisioned the domain using samba-tool domain provision, I have configured Kerberos and users can log in fine... it is simply changing passwords that is the issue. I am not sure if this is a Samba config issue or where it is. If someone can point me in the right direction, it would be much appreciated. I would hate to have to fall back to a Windows PDC.

Below is my Samba config; the [domain] is of course an actual domain on the server.

Samba Config:

# Global parameters
[global]
workgroup = [domain short]
realm = [domain]
netbios name = BILBO
server role = active directory domain controller
dns forwarder = 8.8.8.8
logon path = \\%L\users\%U
# pam password change = yes
logon home = \\%L\users\%U
wins support = no
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes

[netlogon]
path = /var/lib/samba/sysvol/[domain]/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[Users]
directory_mode: parameter = 0700
read only = no
path = /users
csc policy = documents

Many thanks
